diff --git a/CHANGES b/CHANGES
index 5aee60707..a6e0ba153 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2202,4 +2202,5 @@
 * proxyAuth: fix docker UA detection
 * registry config: add UI to disable it
 * update solr to 8.8.0
+* firewall: fix issue where script errored when having more than 15 wl/bl ports
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 77b470648..2e2f730dd 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -20,20 +20,18 @@ fi
 iptables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
 
-# whitelist any user ports
+# whitelist any user ports. we used to use --dports but it has a 15 port limit (XT_MULTI_PORTS)
 ports_json="/home/yellowtent/boxdata/firewall/ports.json"
 if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_json}', 'utf8')).allowed_tcp_ports.join(','))" 2>/dev/null); then
-    IFS=',' arr=(${allowed_tcp_ports});
-    for p in "${arr[@]}"
-    do
+    IFS=',' arr=(${allowed_tcp_ports})
+    for p in "${arr[@]}"; do
         iptables -A CLOUDRON -p tcp -m tcp --dport "${p}" -j ACCEPT
     done
 fi
 
 if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_json}', 'utf8')).allowed_udp_ports.join(','))" 2>/dev/null); then
-    IFS=',' arr=(${allowed_udp_ports});
-    for p in "${arr[@]}"
-    do
+    IFS=',' arr=(${allowed_udp_ports})
+    for p in "${arr[@]}"; do
         iptables -A CLOUDRON -p udp -m udp --dport "${p}" -j ACCEPT
     done
 fi
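Review bot: `IFS=',' arr=(${allowed_tcp_ports})` (and the udp twin below it) is a bare assignment with no command word, so the `IFS=','` prefix is not scoped to that line — it changes IFS for the rest of the script, and the unquoted `${allowed_tcp_ports}` is also subject to glob expansion. Splitting with `IFS=',' read -ra arr <<< "${allowed_tcp_ports}"` keeps the IFS change local to `read` and avoids globbing; the same one-line change applies to the udp block. Since the values come from ports.json and are passed straight to `iptables --dport`, I would also skip anything that is not a plain number before the rule is added, `[[ "${p}" =~ ^[0-9]+$ ]] || continue`, so one malformed entry cannot abort the whole firewall setup. The script's `set` options are outside the hunk, so I cannot tell from here whether an iptables failure on a bad value would stop the script or silently continue.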